Client Protection

The annual Vermont Bar Association YLD Thaw Bowl was last Friday. Here’s a question that I used:

During a segment of a CLE, I shared my thoughts on two things:

last-minute changes to wire instructions; and,

a prospective out-of-state client who claims to be owed a debt by a Vermonter, and who only communicates with you by e-mail

What general topic was I discussing during that segment of the CLE?

It struck me that many were unfamiliar with the answer: trust account scams.

A lawyer has a duty to safeguard client property & funds. To me, the duty includes employing reasonable safeguards against trust account scams. Is falling for a scam an ethics violation? Not necessarily, but it might be.

I’ll share two scenarios.

Scenario 1

Imagine this: you have a personal checking account at a local bank. The bank notifies you that your money is gone. You are shocked. You learn that someone contacted the bank and directed the funds in your account to be wired to a different account. Your initial reaction might be “and you didn’t check with me to confirm!?!?”

That’s the “last-minute changes to wiring instructions” scenario. Now, flip the scenario: the missing money is a client’s that you were holding.

Granted, the scammers are sophisticated. Often, the change in wiring instructions will appear to have come from the client or opposing counsel.

I can’t stress enough that you can’t be too safe. The 30 seconds you take to call to confirm might be well worth it. When you do, initiate the call to a number that you already have on file. Don’t call a new number that appears in the change to the wiring instructions. Don’t make the change based on a call to you.

If you think I’m being too cautious, please read this. It’s a post in the ABA Journal about an associate who was scammed into authorizing a $2.5 million disbursement from trust by a last-minute change to wiring instructions. A court order in the ensuing insurance claim is here.

And it’s not just me who is urging caution. Andy Mikell is State Manager & Title Counsel for Vermont Attorneys Title Corporation. I sent him the story of the $2.5 million scam. Here’s part of his response:

“An even newer approach involves the bad guys intercepting communications and then sending FAKE payoff letters to the Closing Attorney so that when seller’s mortgage is paid from the closing, the payoff money goes immediately to the wrong place. Poof!

So, in addition to telling folks to ‘trust no email’, I’m instructing our members to essentially “trust no payoff letter” either. It’s nasty out there but the scheme you forwarded should be preventable. Also, yes, we are telling folks to pay serious attention to their PLI policies. More offices are getting social engineering policies which are designed to insure against the wire scam.”

Andy also sent this article, one that goes into more detail on fraudulent mortgage payoff letters.

Scenario 2

The second scenario involves a scam that has been around even longer. There are many twists, but a few core ingredients:

a prospective client contacts you electronically;

the prospective client claims to be owed money by someone who is in Vermont;

the prospective client wants to hire you to collect the debt;

the prospective client never meets with you or contacts you by telephone.

It’s happened numerous times in Vermont. Usually the prospective client claims to have sold a product to a Vermonter. I’m also familiar with a version in which the prospective client claimed to be a Vermont Guard member who had been deployed out of the country, and whose ex-spouse had failed to pay the appropriate share of the proceeds of the sale of the marital home following a divorce. The prospective client asked the lawyer to enforce the terms of the divorce order.

No matter the variation, the scammers are good. They’ll send you what appear to be legit court orders, contracts & bills of sale. They will have created fake websites, both for themselves and the debtors. So, when you do some cursory research, it will look as if the debtor actually exists and is located in Vermont. Not only that, when you contact the debtor, someone will respond and acknowledge the debt.

Here’s where the rubber meets the road.

Shortly after making contact with the debtor, FedEx or UPS will deliver a check to your office. You will deposit the check into trust, then wire the “client’s” share. Weeks, if not months later, your bank will inform you that the check from the debtor was a fraudulent check. Quite likely, money that belonged to other clients – who are real – will no longer be in your trust account.

Magically, the long outstanding debt resolved as soon as you got involved. If it sounds too good to be true, it probably is.

As I argued in this post, it strikes me that this scam is so well-known that falling for it violates the duty to take reasonable safeguards to protect client funds.

Last week, Lawyer was set to represent Buyer in a purchase of property. Buyer intended to fund the purchase with Buyer’s own money. Lawyer provided Buyer with instructions on how to wire the funds ($110,000) to Lawyer’s trust account.

Two days before closing, Buyer received a text message with revised wiring instructions. Buyer did not call, e-mail, or otherwise confirm the change with Lawyer. Buyer instructed bank to wire the funds to the account reflected in the text message.

It was a scam.

As pointed out in last week’s blog, lawyers should confirm with clients upon receiving a last-minute change to wiring instructions. Lawyers should instruct clients to do the same and, in addition, inform clients that it is highly unlikely that a lawyer’s wiring information will change in the day or two before a closing.

Of course, the latest scam raises a question as to how the scammer knew to text Buyer. Did Lawyer fail to take reasonable precautions to safeguard client information? For now, it’s too early to tell.

The post began with an analysis of how Rules 1.1 and 1.6 work together to impose a duty to act competently to safeguard client information, including information that is stored and transmitted by electronic means.

From there, I walked readers through a series of advisory ethics opinions. Over time, the opinions moved from concluding that the duty to act competently to safeguard client information did not include a duty to encrypt to concluding that it might.

I stated that, at the very least, lawyers had a duty to warn clients about the risks associated with unencrypted electronic communications. Then, I wrote:

“My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email. Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.”

Opinion 477 concludes that lawyers must make reasonable efforts to safeguard client information. It states that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.” That is, lawyers must employ a “fact-based analysis” when transmitting & storing client information. Factors in the analysis include:

the sensitivity of the information,

the likelihood of disclosure if special safeguards are not used,

the cost of using special safeguards, and

the difficulty of using special safeguards.

With respect to these factors, the opinion concludes that lawyers “must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters . . . to determine what effort is reasonable.”

The opinion makes clear that lawyers must remain cognizant that the analysis will change as technology evolves. In other words, what’s reasonable today might not be reasonable in 2020.

More importantly, what was unreasonable in 1997 might be reasonable today. For example, as the opinion notes, “a fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”

If you take anything away from this, as usual, let it be my refrain that “competence includes tech competence.” For, if you find yourself in times of trouble, it will not be acceptable to respond “but that tech stuff is too complicated!”

It isn’t.

As technology evolves, so evolves the standard of “reasonable efforts to safeguard client information.”

Many of you spend a lot of time advising your clients to prepare for the worst. Have you taken the time to protect your clients if the worst happens to you?

An unexpected diagnosis. A car accident. A skiing mishap. What if you had been away during Hurricane Irene, unable to return to Vermont for that trial, or that deposition, or that closing?

No matter the reason, what if you are not available? Will your clients be protected?

Does anyone know where your files are? Or where you keep your schedule and deadlines? Or the password to your cloud storage platform? Or how to access your trust account?

Rule 1.3 of the Vermont Rules of Professional Conduct requires lawyers to act with reasonable diligence while representing a client. Comment 5 to Rule 1.3 states that “to prevent neglect of client matters in the event of a sole practitioner’s death or disability, the duty of diligence may require that each sole practitioner prepare a plan, in conformity with the applicable rules, that designates another competent lawyer to review client files, notify each client of the lawyer’s death or disability, and determine whether there is a need for immediate protective action.”